Lists Home |
Date Index |
- To: "Simon St.Laurent" <firstname.lastname@example.org>,<email@example.com>
- Subject: RE: RE: [xml-dev] The sky is falling! XML's dirty secret! Go back!It's a trap!
- From: "Joshua Allen" <firstname.lastname@example.org>
- Date: Thu, 30 May 2002 20:35:34 -0700
- Thread-index: AcIILfJYg0L2zT+FQmuQmo7F20/TqwAI/8EA
- Thread-topic: RE: [xml-dev] The sky is falling! XML's dirty secret! Go back!It's a trap!
For people interested in the topic, Amir Herzberg did an article
"Securing XML" in March 2002 Dr. Dobbs Journal, which unfortunately I
cannot find online. If you grab the print version, be sure to read the
letters to editor in the following issue of DDJ for some corrections
from other experts. The article covers the theoretical difficulties in
making the encryption truly secure and talks about how the candidate
recommendation addresses them: http://www.w3.org/TR/xmlenc-core/. I'm
not an expert on crypto, but the article and responses convinced me that
the crypto experts have put a lot of effort into this.
> -----Original Message-----
> From: Simon St.Laurent [mailto:email@example.com]
> Sent: Thursday, May 30, 2002 4:07 PM
> To: firstname.lastname@example.org
> On Thu, 2002-05-30 at 18:46, Mike Champion wrote:
> > I don't know much about encryption, but from reading about
> > cryptanalysis in WWWII it would appear that having a "crib"
> > (a bit of known plaintext) is a useful shortcut to breaking a
> > The tags in an XML message are likely to be known (or easily
> > guessable) by an attacker. So, a straightforward encryption of
> > an entire XML message might be considerably less secure than
> > an encryption of a non-self-describing message.
> I wonder if you could turn that to your advantage by encrypting
> [element] content using different mechanisms on a per-element basis,
> leaving the structure in plaintext. That would leave attackers with a
> skeleton but only small bits of content to analyze.
> Dunno. It likely depends on the algorithm used as well as the level
> repetition in the content, and attributes are a problem as usual.
> Simon St.Laurent
> Ring around the content, a pocket full of brackets
> Errors, errors, all fall down!
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
> The list archives are at http://lists.xml.org/archives/xml-dev/
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>